PSC Newsletter- Evilpain/Blackworm to strike 3 Feb

PSC Newsletter-A new month, a new mass media virus alert to come
Tuesday, 31 January 2006

February's first major story is likely to be a worm called "Blackworm." According to the security industry "buzz," this one is the "Armageddon" we've all been promised in earlier press releases and then some. And in some respects, for those who are still infected, it very well could be a more destructive nasty than many seen recently. And of course, for those using BOClean, it's a non-issue as usual.

Back on January 14th, one of our "spotters" in Japan saw a "warez" site in China ("warez" sites usually offer hacked versions of software or "keygens" which allow people to activate commercial or shareware software without paying for it) which offered a version of the popular "WINZIP" program for download. On a lark, he downloaded it and forwarded it to our BOClean lab team for analysis. It turned out to be a rather malicious worm. As a result, on our January 14th BOClean update, we included this worm (which by our policies of trying to use the actual name of trojans rather than the antivirus industry's obfuscation of the name) we dubbed "EVILPAIN" after the name of the item found within its heavily encrypted memory image.

A few days later, ranging from January 15th when LURHQ discovered an increase in traffic to the 20th when numerous antivirus companies started to detect this worm, we began receiving copies of this in our emails from infected users around the globe who didn't use our BOClean product, which already detected this item. As the antiviruses began to cover it, the names "blackworm," "My wife," and "CME-24" were attached to this nasty. As of the January 31 BOClean update, we changed the name of our covered trojan from "EVILPAIN" to "EVILPAIN(BLACKWORM)" because some of our customers have asked if we covered it already.

What is so special about EVILPAIN(Blackworm) ?

Most worms are designed to propagate and perhaps do things like setting up a "relay" on victim machines to create a "spam post office" or perhaps a "porn server" or even steal banking and credit card information through the use of a persistent "key logger." Most, beyond their intended purpose are largely not destructive beyond the victimization of the person who chooses to download "freebies" or mistakenly open an email attachment. This one is different from the usual worms in that it intends to destroy the computer system which hosts it every month on the third of that month. On February 3, this worm will begin to destroy any computer which it has infected. This makes it a substantial worry.

When a machine containing this infection is started on the third of the month, it will begin to delete any files of the following types at about 30 minutes or so after startup:

*.doc
*.xls
*.mdb
*.mde
*.ppt
*.pps
*.zip
*.rar
*.pdf
*.psd
*.dmp

These are usually data files associated with various office files ranging from documents to powerpoint presentations, spreadsheets, ZIP and RAR files and Adobe Photoshop(tm) files. It will replace the original contents of the above file extensions with an error message which states, "DATA Error [47 0F 94 93 F4 K5]." completely replacing the contents of the original files. The worm will begin its swath of destruction about 30 minutes after the calendar flop, or upon bootup, whichever happens first. For those organizations that have NOT backed up the above file types prior to infection, then any existing data will be irretrievably lost.

In addition, when a machine is infected by this worm, major antiviruses such as Norton AntiVirus, McAfee, Trend Micro PC-cillin, Panda Antivirus, Kaspersky, CA/eTrust EZ and AVG are specifically targetted for removal as are others. BOClean is UNAFFECTED. The worm also disables the following:

The worm was first released on January 14th (possibly earlier, this was our own "first discovery" date. Within days, we saw numerous copies of EVILPAIN received on our mail servers from infected parties who had our email address in their browser caches. BOClean had this one covered as of the 14th, and therefore we have to assume that the worms which arrived on our email servers were from our other customers who had NSClean, IEClean or Filevac and not BOClean, or were from people who had browsed our site and weren't customers at all.

The levels of infected computers reached a crescendo during the last week of January whereupon the number of emails containing the worm dropped precipitously in the last few days indicating that many people who had been infected finally had their antivirus updates or BOClean updates and the worm mitigation was finally in progress. As of January 31, only a small handful of worm copies continued to arrive here. So this means that the peak of activity of this worm is on the "downside." However, there are still enough people infected that the worm is still active even if it's on the wane. Therefore ...

Recommendations

Naturally, for those not using BOClean: Be certain that your antivirus is updated. Although we've seen the "usual suspects" repack the worm with different compactors and encrypters and "seed" new cases of it which aren't detected by some antiviruses as "variants" as BOClean will, MOST antiviruses cover the majority of these. For those antiviruses which have not yet covered the "variants" it is expected that they will given the widespread nature of "EVILPAIN(Blackworm)." Be CERTAIN that your antivirus is up to date prior to the February 3 "trigger" of the damaging portion of this worm and that computers under your control have been scanned by close of business on 2 February. Please ALSO note that this worm will also spread through "network shares" and therefore if one machine in a network with access to "shares" is infected, other machines can be RE-infected as it "discovers" uninfected machines on your network, and copies a fresh copy of itself there. Note that 3 February is the "trigger date" and therefore, your house has to be cleaned prior to the calendar flip to ensure that reinfection will not occur. The MOST important aspect of this particular worm is its design to spread through "windows sharing" vectors. This also explains the prevalance of this worm in other nations where internet service is provided under the same means to "desktops" as it is in the usual corporate environments. This worm is obviously targetted towards corporate and institutional users rather than the general public, and thus this advisory.

Prudent administration also applies - admins should be certain to force their desktops to backup any files with the file extensions mentioned above so that if a machine is infected with this worm and manages to destroy the previously mentioned filetypes, that backups are available to repair any affected desktops as of 3 February. It would be prudent to force backups of that data whether or not a machine can be ascertained to be clean or not.

BOClean customers:

BOClean has detected this nasty since 14 January, and will spot any repacked or encrypted variants of EVILPAIN(Blackworm) and therefore there should be no concern among our customers. This information is provided solely as an advisory in case not all machines in the corporate environment are protected by BOClean. Those machines should be scanned by close of business on 2 February by your usual antivirus and in the absence of BOClean on those machines, backing up of the data files described in this newsletter should be undertaken anyway as a precaution. All that is required on 3 February is that a sole machine on the network be infected and ready to spread. Given the dynamics of this particular worm, precautions are recommended. We STRONGLY urge that backups of the data filetypes described be performed as a precaution against possible data loss should the worm somehow affect machines not already protected by BOClean in your client base.